Bitcoin Forum
December 10, 2016, 08:57:12 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Mt.Gox: No SQL injection happened, switch to SHA-512, offline until 8:00 am GMT  (Read 5028 times)
romsek
Newbie
*
Offline Offline

Activity: 11


View Profile
June 20, 2011, 02:15:34 AM
 #1

Quote
[Update - 2:06 GMT] What we know and what is being done.
  • It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database. The site was not compromised with a SQL injection as many are reporting, so in effect the site was not hacked.
  • Two months ago we migrated from MD5 hashing to freeBSD MD5 salted hashing. The unsalted user accounts in the wild are ones that haven't been accessed in over 2 months and are considered idle. Once we are back up we will have implemented SHA-512 multi-iteration salted hashing and all users will be required to update to a new strong password.
  • We have been working with Google to ensure any gmail accounts associated with Mt.Gox user accounts have been locked and need to be reverified.
  • Mt.Gox will continue to be offline as we continue our investigation, at this time we are pushing it to 8:00am GMT.
  • When Mt.Gox comes back online, we will be putting all users through a new security measure to authenticate the users. This will be a mix of matching the last IP address that accessed the account, verifying their email address, account name and old password. Users will then be prompted to enter in a new strong password.
  • Once Mt.Gox is back online,  trades  218869~222470 will be reverted.

We will continue to update as we find new information.

Source: https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
1481403432
Hero Member
*
Offline Offline

Posts: 1481403432

View Profile Personal Message (Offline)

Ignore
1481403432
Reply with quote  #2

1481403432
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481403432
Hero Member
*
Offline Offline

Posts: 1481403432

View Profile Personal Message (Offline)

Ignore
1481403432
Reply with quote  #2

1481403432
Report to moderator
1481403432
Hero Member
*
Offline Offline

Posts: 1481403432

View Profile Personal Message (Offline)

Ignore
1481403432
Reply with quote  #2

1481403432
Report to moderator
DanielC
Newbie
*
Offline Offline

Activity: 10


View Profile
June 20, 2011, 02:19:09 AM
 #2

I guess that makes me feel somewhat better...

18tx3FHNrPEga3VZzDVkcCgHxXjkbDRCF8
Oldminer
Legendary
*
Offline Offline

Activity: 1022



View Profile
June 20, 2011, 02:19:40 AM
 #3

lol it will be fun trying to verify my IP seeing as my VPN gives me a new one everytime I connect to the net..hope its not this hard...

If you like my post please feel free to give me some positive rep https://bitcointalk.org/index.php?action=trust;u=18639
Tip me BTC: 1FBmoYijXVizfYk25CpiN8Eds9J6YiRDaX
Astro
Sr. Member
****
Offline Offline

Activity: 242



View Profile
June 20, 2011, 02:22:39 AM
 #4

Stop hiring the worst security auditors in the world.
Chick
Member
**
Offline Offline

Activity: 70


View Profile
June 20, 2011, 02:28:18 AM
 #5

Stop hiring the worst security auditors in the world.

They just said it was a "financial auditor".

WTF? IKR?

dust
Hero Member
*****
Offline Offline

Activity: 840



View Profile WWW
June 20, 2011, 02:30:08 AM
 #6

100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

Cryptocoin Mining Info | OTC | PGP | Twitter | freenode: dust-otc | BTC: 1F6fV4U2xnpAuKtmQD6BWpK3EuRosKzF8U
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
June 20, 2011, 02:31:33 AM
 #7

Quote
It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised.

Someone needs to audits the one who audits...  Roll Eyes
Epinnoia
Full Member
***
Offline Offline

Activity: 207


View Profile
June 20, 2011, 02:32:20 AM
 #8

If the auditor was attacked by a hacker, how was it that the hacker knew that the auditor's machine was even bitcoin-related?  Something here doesn't pass the sniff test.

This screams 'inside job'.


My first miner -> ATI 4550 (7.2 Mh/sec): 
https://www.facebook.com/groups/cryptospeculators/
BCEmporium
Legendary
*
Offline Offline

Activity: 938



View Profile
June 20, 2011, 02:35:03 AM
 #9

For me it was Kevin Mitnick disguised as janitor...
aral
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 20, 2011, 02:37:32 AM
 #10

Yeah, right.  The only crackable stuff they got were some idle accounts yet they managed to drive the price to 0.01$ and steal a bucketload of BTC.

And... you used unsalted md5?  Really?  Oh but that was two months ago so it's ok? Undecided Fuck me.  
Insuremeplz
Member
**
Offline Offline

Activity: 113


View Profile
June 20, 2011, 02:42:21 AM
 #11

100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

I don't believe this, unfortunately Sad
DonnyCMU
Full Member
***
Offline Offline

Activity: 143



View Profile
June 20, 2011, 02:49:59 AM
 #12

100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent???
tehcodez
Jr. Member
*
Offline Offline

Activity: 42


View Profile
June 20, 2011, 02:52:38 AM
 #13

I think he mentioned that
haydent
Full Member
***
Offline Offline

Activity: 154



View Profile
June 20, 2011, 02:53:37 AM
 #14

is there a way to find out your trade number ? maybe from trade notification email or something ?

Quote
Once Mt.Gox is back online,  trades  218869~222470 will be reverted.

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
Epinnoia
Full Member
***
Offline Offline

Activity: 207


View Profile
June 20, 2011, 03:06:22 AM
 #15

The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?


My first miner -> ATI 4550 (7.2 Mh/sec): 
https://www.facebook.com/groups/cryptospeculators/
semarjt
Newbie
*
Offline Offline

Activity: 27


View Profile
June 20, 2011, 03:18:24 AM
 #16

The excuse given was to blame the auditor.  And for privacy reasons, they won't name the auditor.

This doesn't make any sense at all.  What use is an audit performed by unnamed entities?  It's the credentials of the auditor which give credence to the audit they perform, is it not?




What use is it for an auditor to have password hashes?
tiberiandusk
Hero Member
*****
Offline Offline

Activity: 580


The North Remembers


View Profile WWW
June 20, 2011, 03:20:03 AM
 #17

100-200 BTC + ~1000 USD stolen.  Doesn't seem too bad...

So.... could they, or someone, explain about the 200,000 -400,000 Bitcoins that was sold off, and drove the price down to 1 cent???

As far as I have gathered those transactions were internal to Mt. Gox and were never paid out. They weren't actual bitcoin transactions.

Bitcoin Auction House http://www.BitBid.net BTC - 1EwfBVC6BwA6YeqcYZmm3htwykK3MStW6N | LTC - LdBpJJHj4WSAsUqaTbwyJQFiG1tVjo4Uys Don't get Goxed.
bitcoinminer
Sr. Member
****
Offline Offline

Activity: 322



View Profile
June 20, 2011, 03:20:58 AM
 #18

May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

Be fearful when others are greedy, and greedy when others are fearful.

-Warren Buffett
NO_SLAVE
Jr. Member
*
Offline Offline

Activity: 56


DEBT IS SLAVERY


View Profile
June 20, 2011, 03:22:13 AM
 #19

is there a way to find out your trade number ? maybe from trade notification email or something ?

Quote
Once Mt.Gox is back online,  trades  218869~222470 will be reverted.

yes THIS ^^^

is there a database of trades and numbers?
Astro
Sr. Member
****
Offline Offline

Activity: 242



View Profile
June 20, 2011, 03:22:24 AM
 #20

May not have been an SQL injection, but it was sure as hell a Hot Beef Injection!!!

zing
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!